CLAIMS



What is claimed is: 

1. In a firewall device having a plurality of communication interfaces, a packet
filtering component coupled to each of the interfaces, a switching component
coupled to each of the interfaces, and a firewall services component coupled to
the switching process, a firewall system comprising:

a) a session manager operating in said firewall services component, said
session manager structured and configured to instantiate a plurality of
sessions in said firewall services component and a plurality of
mini-sessions in said switching process component, each said session having
header and payload information related to a corresponding data
transfer within the firewall device, each said mini-session corresponding
to a session and including header information related to the
corresponding data transfer within the firewall device; and

b) a firewall module operating in said switching process coupled to said
mini-sessions, said firewall module configured to intercept data packets
received into the interfaces, said firewall module further configured to
track session context of said data packets.

2. The firewall system of claim 1, wherein said session manager is further
structured and configured to manage said sessions and said mini-sessions.

3. The firewall system of claim 1, wherein said session manager is further
structured and configured to delete said sessions and said mini-sessions.

4. The firewall system of claim 1, wherein said firewall module is further
configured to intercept data packets before reception by said packet filtering
component, said firewall module further configured to set a "pass" flag in data
packets according to matching header information in intercepted data packets and
said header information in said mini-sessions.



5. The firewall system of claim 4, wherein said packet filtering component is
configured to bypass "Access Control List" authorization of data packets
having a "pass" flag.

6. The firewall system of claim 1, wherein said firewall module is further
configured to intercept data packets before reception by said packet filtering
component, said firewall module further configured to set a "do not divert" flag
in data packets when packet inspection of said intercepted data packets does not
require application-level inspection.



7. The firewall system of claim 6, wherein said firewall module is configured to
bypass authorization of data packets having a "do not divert" flag with said
firewall services component.

8. In a firewall device having a plurality of communication interfaces, a packet
filtering component coupled to each of the interfaces, a switching component
coupled to each of the interfaces, and a firewall services component coupled to
the switching process, a method for optimizing firewall processing comprising:

a) providing a session manager in the firewall services component;

b) providing a firewall module in the switching component;

c) instantiating a session, by said session manager, for data transfers
within the firewall device, said sessions having header and payload
information related to data transfers within the firewall device; and

d) instantiating a mini-session, by said session manager, corresponding to
said instantiated session, said mini-session having header information
related to data transfers within the firewall device.
9. The method of claim 8, further comprising:

a) intercepting data packets having a header and a payload component,
by said firewall module, before reception by the packet filtering
component; and

b) setting a "pass" flag in the intercepted data packets when said header
component is the intercepted data packets matches said header
information in said mini-session.


10. The method of claim 8, further comprising:

a) checking data packets for a "pass" flag, by said packet filtering
component; and

b) bypassing "access control list" check, if a "pass" flag is found in said
checked data packets.

11. The method of claim 8, further comprising:

a) intercepting data packets having a header and a payload component,
by said firewall module, before reception by the packet filtering
component; and

b) setting a "do not divert" flag in the intercepted data packets when
packet inspection does not require application-level inspection.

12. The method of claim 8, further comprising:

a) checking data packets for a "do not divert" flag, by said firewall
module; and

b) bypassing "access control list" check, if a "do not divert" flag is
found in said checked data packets.



13. The method of claim 8, further comprising bypassing authorization with the
firewall services component, by the firewall module, for data packets header
information matching header information in said mini-sessions.

14. The method of claim 8, further comprising deleting said session and associated 
mini-session when data transfer associated with said sessions and mini-session is 
completed. 



15. The method of claim , further comprising deleting said session and associated
mini-session when data transfer associated with said sessions and mini-session is
idle past a predetermined timeout period.

16. The method of claim 8, further comprising updating context of said
mini-session, by said firewall module, without sending packets to said firewall
services component.

17. A program storage device readable by a machine, tangibly embodying a
program of instructions executable by the machine to perform a method for
optimizing firewall processing in a firewall device having a plurality of
communication interfaces, a packet filtering component coupled to each of the
interfaces, a switching component coupled to each of the interfaces, and a firewall
services component coupled to the switching process, said method comprising:

a) providing a session manager in the firewall services component;

b) providing a firewall module in the switching component;

c) instantiating a session, by said session manager, for data transfers
within the firewall device, said sessions having header and payload
information related to data transfers within the firewall device; and

d) instantiating a mini-session, by said session manager, corresponding to
said instantiated session, said mini-session having header information
related to data transfers within the firewall device.



18. The program storage device of claim 17, said method further comprising:

a) intercepting data packets having a header and a payload component,
by said firewall module, before reception by the packet filtering
component; and

b) setting a "pass" flag in the intercepted data packets when said header
component is the intercepted data packets matches said header
information in said mini-session.



19. The program storage device of claim 17, said method further comprising:

a) checking data packets for a "pass" flag, by said packet filtering
component; and

b) bypassing "access control list" check, if a "pass" flag is found in said
checked data packets.

20. The program storage device of claim 17, said method further comprising:

a) intercepting data packets having a header and a payload component,
by said firewall module, before reception by the packet filtering
component; and

b) setting a "do not divert" flag in the intercepted data packets when
said intercepted data packets packet inspection does not require
application-level inspection.



21. The program storage device of claim 17, said method further comprising:

a) checking data packets for a "do not divert" flag, by said firewall
module; and

b) bypassing "access control list" check, if a "do not divert" flag is
found in said checked data packets.

22. The program storage device of claim 17, said method further comprising
bypassing authorization with the firewall services component, by the firewall
module, for data packets header information matching header information in said
mini-sessions.



23. The program storage device of claim 17, said method further comprising
deleting said session and associated mini-session when data transfer associated
with said sessions and mini-session is completed.

24. The program storage device of claim 17, said method further comprising said
session and associated mini-session when data transfer associated with said
sessions and mini-session is idle past a predetermined timeout period.



25. The program storage device of claim 17, said method further comprising
updating context of said mini-session, by said firewall module, without sending
packets to said firewall services component.
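
Added illustration, not part of the claims as filed and not the patentee's code: a small Python model of the session / mini-session split, the "pass" and "do not divert" flags, and deletion on idle timeout. The flag bit values, table layout, function names, the 30-second timeout and the reset of flags on intercept are assumptions made for this example.

```python
from dataclasses import dataclass

PASS, DO_NOT_DIVERT = 0x1, 0x2   # constructed bit values; the claims name the flags only

@dataclass
class Packet:
    header: tuple            # (src, sport, dst, dport, proto)
    payload: bytes = b""
    flags: int = 0           # internal metadata, never taken from the wire

class SessionManager:        # lives in the firewall services component
    def __init__(self, idle_timeout=30.0):
        self.sessions, self.mini, self.idle_timeout = {}, {}, idle_timeout

    def instantiate(self, pkt, app_level, now):
        self.sessions[pkt.header] = {"payload": bytearray(pkt.payload)}
        # The mini-session holds header-derived state only.
        self.mini[pkt.header] = {"app_level": app_level, "last_seen": now, "count": 0}

    def delete(self, header):  # session and mini-session are removed together
        self.sessions.pop(header, None)
        self.mini.pop(header, None)

    def expire_idle(self, now):
        stale = [h for h, m in self.mini.items() if now - m["last_seen"] > self.idle_timeout]
        for h in stale:
            self.delete(h)
        return stale

def intercept(mgr, pkt, now):  # firewall module in the switching component
    pkt.flags = 0              # discard any flag value the packet arrived with
    m = mgr.mini.get(pkt.header)
    if m is not None:
        m["last_seen"], m["count"] = now, m["count"] + 1  # context updated in place
        pkt.flags |= PASS
        if not m["app_level"]:
            pkt.flags |= DO_NOT_DIVERT
    return pkt

def handle(mgr, acl, pkt, now, app_level=False):
    intercept(mgr, pkt, now)
    if not (pkt.flags & PASS) and pkt.header not in acl:  # ACL skipped when "pass" is set
        return "drop"
    if pkt.flags & DO_NOT_DIVERT:
        return "fast-path"                                # services component not consulted
    if pkt.header not in mgr.sessions:
        mgr.instantiate(pkt, app_level, now)
    return "services"
```

In this model a flow that already has a mini-session keeps bypassing the access control list after its rule is removed, until the mini-session is deleted on completion or idle timeout. Anyone reviewing such a design would want rule changes to flush the matching mini-sessions.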